Nuwar.B
Nuwar.B is a backdoor Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. It also contains advanced stealth functionality that allows it to hide particular files, registry keys and registry values.

Threat behavior

Please note that there may be several minor variants of this Trojan circulating in the wild, and that while functionally identical, they may contain small differences with regard to file names used, events created, etc. As such, we have listed two such variations for each behavior described below.

When executed, Nuwar.B performs the following actions:
*Creates a configuration file \windev-peers.ini or \vdo_g.ini, which contains the list of peers to connect to initially (see the Backdoor Functionality section below for further detail).
*Drops a kernel driver \windev-xxxx-xxxx.sys or \vdo_xxxx-xxxx.sys, where each xxxx is a randomly generated four-character alphanumeric string (for example "C:\WINDOWS\System32\windev-42a7-127d.sys"). The driver is then installed as a service, using the file name minus the extension as the display name (for example "windev-42a7-127d").
*Enumerates kernel and file system drivers in the Service Control Manager database. Any previously installed drivers whose names begin with "windev-" or "vdo_" are stopped and then deleted from the database, and the corresponding ".sys" file is deleted from disk.
*Creates a mutex named either "A8dK894Lm9#sF2i$sOBq2X" or "K8JT6Hnjm$#jui#WWhHHgG", which the Trojan uses as a marker to prevent re-installation attempts if the driver is already running.
*Injects a malicious payload into "services.exe". As a consequence, the Trojan's network activity appears to originate from services.exe.
*Attempts to modify "Windows Time" configuration settings.

Note: the file paths above are given relative to the Windows system folder.
The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000); C:\Windows\System (Windows 95/98/ME).

Advanced Stealth Features

The driver hides files, registry keys and registry values whose names begin with the strings "windev-" or "vdo_" by hooking the following functions:
*NtEnumerateKey
*NtEnumerateValueKey
*NtQueryDirectoryFile

Because the hooks filter what these native functions return, any tool that enumerates the file system or registry through the Windows API on the running system (including Explorer, Regedit and most security products) will not see the Trojan's files, keys or values.

Backdoor Functionality

The component injected into services.exe attempts to join a malicious peer-to-peer network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to perform several actions, including:
*Gathering e-mail addresses from files with the following file extensions on all fixed drives of the infected computer: .adb .asp .cfg .cgi .dat .dbx .dhtm .eml .htm .jsp .lst .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml. The Trojan discards addresses that contain any of the following substrings: @avp. @foo @iana @messagelab @microsoft abuse admin anyone@ bsd bugs@ cafee certific contract@ f-secur feste free-av gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip
*Performing Denial of Service (DoS) attacks.
*Composing and sending e-mail to addresses that may be supplied via the peer-to-peer network. This function can be used to send spam or to distribute additional malicious threats.
*Downloading and executing arbitrary files, including updates to the Trojan itself.

Category:Microsoft Windows Category:Win32 Category:Backdoor Category:Win32 backdoor Category:Trojan Category:Win32 trojan